About the security content of OS X Yosemite v10.10.4 and Security Update 2015-005

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

Description: Directory Utility was able to be moved and modified to achieve code execution within an entitled process. This issue was addressed by limiting the disk location that writeconfig clients may be executed from.

CVE-ID

CVE-2015-3673 : Patrick Wardle of Synack, Emil Kvarnhammar at TrueSec

afpserver

Available for: OS X Yosemite v10.10 to v10.10.3

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A memory corruption issue existed in the AFP server. This issue was addressed through improved memory handling.

CVE-ID

CVE-2015-3674 : Dean Jerkovich of NCC Group

apache

Available for: OS X Yosemite v10.10 to v10.10.3

Impact: An attacker may be able to access directories that are protected with HTTP authentication without knowing the correct credentials

Description: The default Apache configuration did not include mod_hfs_apple. If Apache was manually enabled and the configuration was not changed, some files that should not be accessible might have been accessible using a specially crafted URL. This issue was addressed by enabling mod_hfs_apple.
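The entry above does not spell out what the "specially crafted URL" is. The classic problem that mod_hfs_apple exists to close is a case mismatch: Apache compares the requested path against its <Directory> blocks with a case-sensitive string match, while HFS+ resolves the same path case-insensitively, so a request for /PRIVATE/secret.txt misses the protection configured for /private but still reaches the file. The following Python model is an added example, not Apache or Apple code, and the case-variant mechanism it shows is my reading of the fix rather than something the page states; the document root is a scratch directory, and the protected subdirectory and file names are invented.

```python
"""Model of an authorization check that compares paths case-sensitively on a
filesystem that resolves them case-insensitively (as HFS+ does).
Added example, not Apache or Apple code; names are invented."""
import os
import tempfile

PROTECTED_SUBDIRS = ["private"]   # think <Directory ".../private"> Require valid-user


def requires_auth(root, translated):
    """Apache-style <Directory> match: a case-sensitive prefix comparison."""
    for sub in PROTECTED_SUBDIRS:
        full = os.path.join(root, sub)
        if translated == full or translated.startswith(full + "/"):
            return True
    return False


def resolve_case_insensitive(root, url_path):
    """Resolve url_path under root one component at a time, ignoring case,
    the way a case-insensitive filesystem does. Returns the on-disk path
    (with its real case) or None if the file does not exist."""
    cur = root
    for comp in url_path.split("/"):
        if not comp:
            continue
        if not os.path.isdir(cur):
            return None
        match = next((e for e in os.listdir(cur) if e.lower() == comp.lower()), None)
        if match is None:
            return None
        cur = os.path.join(cur, match)
    return cur


def serve(root, url_path, hfs_fix, authenticated=False):
    """Return 'auth required', 'allowed', 'denied' or 'not found'."""
    translated = root + url_path                  # what Apache matches <Directory> against
    on_disk = resolve_case_insensitive(root, url_path)
    if on_disk is None:
        return "not found"
    if hfs_fix and on_disk != translated:
        return "denied"                           # mod_hfs_apple: request case must match the disk
    if requires_auth(root, translated) and not authenticated:
        return "auth required"
    return "allowed"


def demo():
    """Constructed scenario: one protected file, four requests."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "private"))
        with open(os.path.join(root, "private", "secret.txt"), "w") as f:
            f.write("constructed secret")
        return {
            "exact path, no fix": serve(root, "/private/secret.txt", False),
            "case variant, no fix": serve(root, "/PRIVATE/secret.txt", False),
            "case variant, with fix": serve(root, "/PRIVATE/secret.txt", True),
            "exact path, with fix, logged in": serve(root, "/private/secret.txt", True, True),
        }
```

The "case variant, no fix" request is the bypass: the authorization layer and the filesystem disagree about which object the path names. The fix does not try to make the authorization match smarter; it refuses any request whose spelling differs from the on-disk name, so both layers see the same path. The same class of bug appears wherever a string-based access check sits in front of a store with looser matching rules (Unicode normalization, trailing dots or spaces, 8.3 short names).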

Impact: An attacker with a privileged network position may be able to intercept network traffic

Description: An intermediate certificate was incorrectly issued by the certificate authority CNNIC. This issue was addressed through the addition of a mechanism to trust only a subset of certificates issued prior to the mis-issuance of the intermediate. You can learn more about the security partial trust allow list.

Impact: Processing a maliciously crafted text file may lead to an unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues existed in the processing of text files. These issues were addressed through improved bounds checking.

CVE-ID

CVE-2015-1157

CVE-2015-3685 : Apple

CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team

CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team

CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team

CVE-2015-3689 : Apple

coreTLS

Available for: OS X Yosemite v10.10 to v10.10.3

Impact: An attacker with a privileged network position may intercept SSL/TLS connections

Description: coreTLS accepted short ephemeral Diffie-Hellman (DH) keys, as used in export-strength ephemeral DH cipher suites. This issue, also known as Logjam, allowed an attacker with a privileged network position to downgrade security to 512-bit DH if the server supported an export-strength ephemeral DH cipher suite. The issue was addressed by increasing the default minimum size allowed for DH ephemeral keys to 768 bits.
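Logjam works because the client accepts whatever group the server names in ServerKeyExchange; a man-in-the-middle who can steer the server into an export suite gets a 512-bit group that the attacker has precomputed. The fix described above is a client-side floor on the size of dh_p. The following Python is an added example, not coreTLS code: it parses the ServerDHParams structure from a TLS 1.2 ServerKeyExchange body and applies that floor, with the 768-bit value from the advisory as the default and 2048 bits as the value a practitioner should actually require. The moduli used for input are constructed to have the right sizes and are not real safe primes.

```python
"""Client-side check on the DHE parameters a server sends in a TLS 1.2
ServerKeyExchange. Added example, not coreTLS code.

ServerDHParams (RFC 5246, 7.4.3) is three length-prefixed vectors:
    opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>
each a 2-byte big-endian length followed by the bytes of the value.
"""
import struct

MIN_DH_BITS = 768           # the floor the advisory says coreTLS moved to
RECOMMENDED_DH_BITS = 2048  # what to require today


def _read_vector(buf, off):
    """Read one <1..2^16-1> opaque vector starting at `off`."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("truncated or empty vector")
    return buf[off:off + n], off + n


def parse_server_dh_params(body):
    """Return (p, g, Ys, remaining_bytes); the remainder is the signature, if any."""
    p_b, off = _read_vector(body, 0)
    g_b, off = _read_vector(body, off)
    ys_b, off = _read_vector(body, off)
    return (int.from_bytes(p_b, "big"), int.from_bytes(g_b, "big"),
            int.from_bytes(ys_b, "big"), body[off:])


def check_dh_group(p, g, ys, min_bits=MIN_DH_BITS):
    """Return None if the group is acceptable, otherwise a rejection reason.
    The size test is the Logjam check; the range tests catch degenerate
    values that make the shared secret trivial. Primality is not tested."""
    if p.bit_length() < min_bits:
        return "DH prime is %d bits, below the %d-bit minimum" % (p.bit_length(), min_bits)
    if p % 2 == 0:
        return "DH prime is even"
    if not 2 <= g <= p - 2:
        return "generator out of range"
    if not 2 <= ys <= p - 2:
        return "server public value out of range"
    return None


def encode_server_dh_params(p, g, ys):
    """Build a ServerDHParams body; used here only to construct input."""
    def vec(x):
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return struct.pack(">H", len(b)) + b
    return vec(p) + vec(g) + vec(ys)


def evaluate(body, min_bits=MIN_DH_BITS):
    """Parse a ServerDHParams body; return None to accept or a reason to reject."""
    p, g, ys, _sig = parse_server_dh_params(body)
    return check_dh_group(p, g, ys, min_bits)


# Constructed moduli: correct sizes, not real safe primes (only the size matters here).
EXPORT_P = (1 << 511) | 0x1234567    # 512-bit, export-strength
WEAK_P = (1 << 1023) | 0x1234567     # 1024-bit, passes 768 but not 2048
STRONG_P = (1 << 2047) | 0x1234567   # 2048-bit

if __name__ == "__main__":
    for name, p in (("export", EXPORT_P), ("1024-bit", WEAK_P), ("2048-bit", STRONG_P)):
        body = encode_server_dh_params(p, 2, 12345)
        print(name, "768 floor:", evaluate(body), "| 2048 floor:", evaluate(body, RECOMMENDED_DH_BITS))
```

A floor on dh_p is the minimum a client needs; it does nothing about a server that offers a well-known 1024-bit group, which the Logjam paper argued is within reach of a state-level precomputation. In practice the complete remedy is to drop the export suites entirely, prefer ECDHE, and require 2048-bit or larger groups where finite-field DHE is still negotiated.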

Impact: A malicious application may be able to determine kernel memory layout

Description: An information disclosure issue existed in the processing of disk images. This issue was addressed through improved memory management.

CVE-ID

CVE-2015-3690 : Peter Rutenbar working with HP's Zero Day Initiative

Display Drivers

Available for: OS X Yosemite v10.10 to v10.10.3

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: An issue existed in the Monitor Control Command Set kernel extension by which a userland process could control the value of a function pointer within the kernel. The issue was addressed by removing the affected interface.

Impact: A malicious application may be able to determine kernel memory layout

Description: A memory management issue existed in the handling of APIs related to kernel extensions which could have led to the disclosure of kernel memory layout. This issue was addressed through improved memory management.

CVE-ID

CVE-2015-3720 : Stefan Esser

Kernel

Available for: OS X Yosemite v10.10 to v10.10.3

Impact: A malicious application may be able to determine kernel memory layout

Description: A memory management issue existed in the handling of HFS parameters which could have led to the disclosure of kernel memory layout. This issue was addressed through improved memory management.

CVE-ID

CVE-2015-3721 : Ian Beer of Google Project Zero

kext tools

Available for: OS X Yosemite v10.10 to v10.10.3

Impact: A malicious application may be able to overwrite arbitrary files

Description: kextd followed symbolic links while creating a new file. This issue was addressed through improved handling of symbolic links.

CVE-ID

CVE-2015-3708 : Ian Beer of Google Project Zero

kext tools

Available for: OS X Yosemite v10.10 to v10.10.3

Impact: A local user may be able to load unsigned kernel extensions

Description: A time-of-check time-of-use (TOCTOU) race condition existed while validating the paths of kernel extensions. This issue was addressed through improved checks to validate the paths of kernel extensions.
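The two kext tools entries (CVE-2015-3708 and CVE-2015-3709) are the two standard ways a privileged daemon loses to an unprivileged user on a shared filesystem: following a symlink the user planted where the daemon creates a file, and checking a path at one moment and opening it again at a later one. The Python below is an added example, not Apple's kextd code, and reproduces both in a scratch directory: the vulnerable pattern beside the fixed one in each case. The "kext" files and the stand-in signature check are constructed; the attacker's swap in the TOCTOU half is injected through a hook so the race is deterministic instead of depending on timing.

```python
"""Two file-handling pitfalls from the kext tools entries, reproduced in a
scratch directory. Added example, not Apple's kextd code; names are invented.
1. Symlink following on create: fix is O_CREAT|O_EXCL|O_NOFOLLOW.
2. Check-by-path then use-by-path (TOCTOU): fix is open once, validate the
   descriptor, use the bytes that were validated. The attacker's swap is a
   hook here so the window is hit every time."""
import os
import stat
import tempfile


def create_unsafe(path, data):
    # Vulnerable: open() follows a symlink sitting at `path`.
    with open(path, "w") as f:
        f.write(data)


def create_safe(path, data):
    # O_EXCL fails if anything already exists at `path`, a symlink included;
    # O_NOFOLLOW additionally refuses to traverse a link at that name.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o644)
    try:
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def demo_symlink_overwrite():
    """Return the victim file's content after the unsafe write and after the safe attempt."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        link = os.path.join(d, "output.txt")      # the path the daemon means to create
        with open(victim, "w") as f:
            f.write("original")
        os.symlink(victim, link)                  # attacker plants the link first
        create_unsafe(link, "clobbered")
        with open(victim) as f:
            after_unsafe = f.read()
        with open(victim, "w") as f:
            f.write("original")                   # reset, then retry the safe way
        try:
            create_safe(link, "clobbered")
        except OSError:
            pass                                  # expected: EEXIST (or ELOOP)
        with open(victim) as f:
            after_safe = f.read()
        return after_unsafe, after_safe


def is_valid_kext(data):
    # Stand-in for signature validation.
    return data == b"signed-kext"


def load_kext_racy(path, attacker_hook=lambda: None):
    with open(path, "rb") as f:                   # check by path ...
        if not is_valid_kext(f.read()):
            raise PermissionError("validation failed")
    attacker_hook()                               # ... the window ...
    with open(path, "rb") as f:                   # ... use by path: whatever is there now
        return f.read()


def load_kext_fd(path, attacker_hook=lambda: None):
    # Open once, refusing a symlink at the final component; validate and use
    # the same descriptor, and never consult the path again.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        data = os.read(fd, st.st_size)            # small file; loop for large ones
        if not is_valid_kext(data):
            raise PermissionError("validation failed")
        attacker_hook()                           # swapping the path changes nothing now
        return data                               # exactly the bytes that were checked
    finally:
        os.close(fd)


def demo_toctou():
    """Return (bytes the racy loader uses, bytes the fd-based loader uses)."""
    with tempfile.TemporaryDirectory() as d:      # a user-writable staging directory
        good = os.path.join(d, "good.kext")
        evil = os.path.join(d, "evil.kext")
        for path, content in ((good, b"signed-kext"), (evil, b"unsigned-kext")):
            with open(path, "wb") as f:
                f.write(content)

        def swap():                               # attacker: point the checked name at evil
            os.unlink(good)
            os.symlink(evil, good)

        racy = load_kext_racy(good, swap)
        os.unlink(good)                           # restore for the second run
        with open(good, "wb") as f:
            f.write(b"signed-kext")
        fixed = load_kext_fd(good, swap)
        return racy, fixed
```

The symlink half shows why "does the file exist?" is the wrong question for a privileged writer: the answer changes between the check and the open, and a link answers "no" while redirecting the write. The TOCTOU half shows the general rule that path validation is only meaningful for the object you actually open; once the descriptor is in hand, fstat and the bytes read from it are stable no matter what the attacker does to the name. O_NOFOLLOW protects only the last component, so directories on the way to the file still have to be ones the user cannot replace.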

CVE-ID

CVE-2015-3709 : Ian Beer of Google Project Zero

Mail

Available for: OS X Yosemite v10.10 to v10.10.3

Impact: A maliciously crafted email can replace the message content with an arbitrary webpage when the message is viewed

Description: An issue existed in the support for HTML email which allowed message content to be refreshed with an arbitrary webpage. The issue was addressed through restricted support for HTML content.

Description: An integer overflow existed in the Security framework code for parsing S/MIME e-mail and some other signed or encrypted objects. This issue was addressed through improved validity checking.

Description: An API issue existed in SQLite functionality. This was addressed through improved restrictions.

CVE-ID

CVE-2015-7036 : Peter Rutenbar working with HP's Zero Day Initiative

System Stats

Available for: OS X Yosemite v10.10 to v10.10.3

Impact: A malicious app may be able to compromise systemstatsd

Description: A type confusion issue existed in systemstatsd's handling of interprocess communication. By sending a maliciously formatted message to systemstatsd, it may have been possible to execute arbitrary code as the systemstatsd process. The issue was addressed through additional type checking.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.